As the importance of computers and computing devices continues to increase in business, educational, and other environments, the need to store vast amounts of data has given rise to a type of network called a storage area network (SAN). A SAN is a specialized high-speed network especially adapted for interconnecting various types of data storage devices. Typically a SAN is used as a data storage pool for an enterprise or institution. Since large quantities of data may be stored on and retrieved from the SAN, it is typically located close to the point at which the data will be accessed, but aside for speed and simplicity, there is no reason why the SAN cannot be remote from the usage location. A number of SANs may also be interconnected in order to provide redundancy or increased storage capacity.
The data stored in a SAN may be confidential, proprietary, personal, commercially sensitive or otherwise in need of secure treatment. For this reason, pairs of machines in a SAN will typically authenticate each other prior to exchanging data. The Challenge Handshake Authentication Protocol (CHAP) is an example of a mechanism by which mutual authentication can be executed. CHAP is one of the Point-to-Point Protocol (PPP) suites of protocols. By way of background, for dialing into a network, such as for dial-in internet access or RAS, a CHAP packet is transported in the data field of a PPP data link layer frame. With SANs, PPP is not involved, but instead the CHAP exchange is transported over the storage transfer protocol. The CHAP protocol involves a periodic verification of peer identity through a three way handshake process. Typically the handshaking process is performed when a link is first established, but it may also be repeated periodically as needed.
In order for the CHAP protocol to be used in a SAN, each pair of devices is configured with a shared secret known only among the machines of the pair. When one device needs to authenticate the other device, the first device will send a challenge to the second device. The other device is required to then derive a response to the challenge using both the challenge and the shared secret, and then return the response to the first device. The first device will then compare the response with the expected response based on the shared secret. If the received response and the expected response match, then the other device is deemed by the first device to be authentic. Typically, the process is repeated by the second device with respect to the first device so that the devices are mutually authenticated.
As noted above, the challenge handshake mechanism requires a separate shared secret for each pair of devices. As such, the configuration of shared secrets can be difficult to manage on larger networks. The RADIUS protocol allows challenge responses to be validated at the RADIUS server rather than at the individual machines. However, each machine must still be configured with the appropriate shared secret since it must still generate challenge responses.
A SAN device authentication mechanism is needed whereby devices may securely authenticate one another without requiring each machine to be configured with shared secrets for all potential peers.